What is certificate pinning?

Certificate pinning is a security mechanism used in TLS (Transport Layer Security) connections, which establishes a direct trust between an application and the API server it communicates with. It involves associating a specific TLS certificate or public key with the API server, enabling your app to validate the authenticity of the server’s identity during each connection attempt.

When an app communicates with a server, the server presents a digital certificate to establish its identity and enable secure encryption of the data transmitted through APIs between the client and server. Certificate pinning works by comparing the server’s presented certificate with a pre-defined or “pinned” certificate stored within the app.

However, it brings a significant logistical challenge for the app. It requires the app to be updated when the server certificate is rotated, as well as the server operations team to be in sync with the app development and deployment teams, which, in a major enterprise, can cause significant issues.

Vulnerabilities of relying solely on certificate pinning

Although certificate pinning is an essential security measure, it has limitations. Relying solely on it can leave an app vulnerable to specific threats, especially when it’s running on a rooted or jailbroken device.

Why certificate pinning alone can’t stop man-in-the-app attacks

Man-in-the-middle (MitM) attacks, better known as man-in-the-app (MitA) in the mobile space, are a serious threat to your app’s communication with the API server, even with certificate pinning in place. If a device is rooted or jailbroken, the attacker can gain administrative privileges, allowing them to instrument the application and bypass pinning controls. Additionally, the app can also be vulnerable to repackaging, code injections, debugging, and other attacks if not properly protected. As a result,, hackers can intercept and manipulate the communication between your app and the server, compromising the integrity and confidentiality of the data exchanged.

Consequences of insufficient protection

The repercussions of falling victim to MitA attacks, tampered or fake apps, as well as other attacks, can be severe for both your app and your business. Let’s explore some potential consequences:

1. Data breaches and identity theft
   Hackers can use passive MitA attacks to intercept sensitive user data, including personal information, passwords, and banking details. This information can be exploited for identity theft, fraud, or other malicious purposes, causing significant harm to your users and tarnishing your app’s reputation.
2. Payload manipulation and malware injection
   Active MitA attacks enable hackers to tamper with certificate checks and redirect users to malicious or fake proxies and servers. By injecting malware into what appears to be a secure session, attackers can compromise user devices, steal confidential information, or facilitate further cyber attacks.
3. Unauthorized app distribution
   Through MitA attacks, hackers can get access to the app’s logic to create modified versions with malicious intent. These fake versions with compromised certificate pinning may be distributed with the intent to connect to genuine APIs, leading unsuspecting users to install counterfeit apps that put their security at risk. This not only undermines user trust but can also result in legal and financial ramifications for your business.

How to strengthen your app’s security beyond certificate pinning

To bolster your app’s defenses against the vulnerabilities of relying solely on certificate pinning, consider implementing the following solutions:

App shielding

Using app shielding tools like Promon SHIELD™, can significantly enhance your app’s security. App shielding includes features like repackaging protection, anti-debugging, anti-emulator techniques, and hooking detection to block attacks targeted at the TLS pinning code. By proactively defending your app against reverse engineering and tampering, you can deter attackers and protect your sensitive data effectively.

Secure encryption of data

Organizations may implement certificate pinning for API security only to discover that it’s not sufficient in this use case. Encryption adds another layer of protection. As such, businesses could encrypt other pieces of data, such as API keys, to make the API harder to access from an unauthorized application or device. While API keys are typically used to authenticate and authorize access to APIs, encrypting them provides several benefits:

• Maintaining the confidentiality of the keys and preventing misuse
• Mitigating unauthorized access to the API
• Tying the API keys to specific authorized devices and apps
• Protecting against key leakage

With a solution like Promon’s Secure Application ROM (SAROM), you can encrypt and store API keys securely within SHIELD. With SAROM, assets are automatically encrypted during shielding and only decrypted at application runtime when needed by the application code.

Some companies may choose to use Mutual Transport Layer Security (mTLS), which establishes a mutual authentication process between an app and an API server. This method can require private keys to be saved on both the API and app side, which are used for encryption and digital signatures during the mutual authentication process. However, mTLS has its vulnerabilities, such as certificate validation issues, single point of failure in case the single private key is compromised, or certificate expiry and revocation.

App attestation

If your app communicates with multiple APIs, you should consider adding an additional layer of verification on the API side. A solution like Promon SHIELD™ App Attestation validates the authenticity of the app attempting to connect to the API, ensuring that it is legitimate and secure. By ensuring the app’s integrity, you can prevent unauthorized or compromised apps from accessing sensitive resources, enhancing your overall security posture. Therefore, even if a malicious actor transforms your API into an open API, SHIELD App Attestation effectively prevents them from being used anywhere else except your authorized applications.

Conclusion

Certificate pinning is an essential security practice for safeguarding the app’s connection to a genuine API in today’s threat landscape. However, securing the certificate pinning implementation through application shielding can safeguard the communication between your app and APIs even more. By adding app attestation to the mix, you will also ensure that your API validates that the apps they communicate with are indeed genuine and not modified. Thus, you can strengthen your apps’ and APIs’ real-time protection and safeguard your business from the harmful consequences of cyber attacks.